The media’s portrayal of elite hoody-wearing hacker gangs creates a distorted understanding of the risks that we are trying to address. It leaves many executives and IT managers playing a feature comparison game between vendors and ultimately cherry-picking solutions that align with their budget.
We don't sell to our customers, we help them invest. What's the difference?
When you sell to someone, you try to convince them to buy something. Selling in this case is a verb, and the goal is the sale. When you help customers invest, it's about identifying their needs, clarifying the outcomes, educating them on the risk, explaining the options and allowing them the space to make an informed decision that they understand. The process looks different to everyone within the firm: executives are often more focused on business risk, whereas an IT manager might be more concerned with the systems administration needs of a particular solution.
To make an informed decision on cyber security, it’s crucial to be clear about risk and accountability. Each organisation is different, with a spectrum of risks, risk tolerances and assigned accountability. An organisation must be clear on their position to succeed in their cyber security journey. Once there is a clear understanding of the organisation, an exercise must be undertaken to determine what risks are to be mitigated via cyber security implementations.
“If you know your enemy and yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu, The Art of War.
For example, when considering a cyber security adversary or "threat actor" that we must mitigate against, there is a whole spectrum of things to keep in mind.
The environment that we need to secure is constantly evolving. The combination of cloud services and remote work means that sensitive data is often distributed far beyond a single office location, and an internet connection is often all that is required to access data.
- Home / Personal Devices
- Cloud Software as a Service (SaaS)
- Financial Data
- Report Data
- Customer Data
- Marketing Platforms / CRMs / Social
It is easier than ever for non-IT departments to start up new cloud services by entering company data, and when these systems are integrated, they can increase the likelihood of exposure. Anything that may alter the level of cybersecurity risk to an organisation must be rationalised and be part of a standard change management process. For an organisation to be secure, it is imperative to have a security-minded culture, and this must be driven by leadership.
Leaders need to be comfortable with risk. Consider undertaking a car journey: we are taught the rules of the road and validated via the provision of a license, we protect ourselves with safety technology such as seat belts and air bags, and we drive in accordance with the conditions, yet there are still circumstances out of our control that may lead to an accident. This knowledge should not prevent us from driving a car, or even make us fearful, and the same is true of cyber security.
The mindset should not be about fear, uncertainty and doubt. Leaders should be informed and empowered to make the right decisions. This is where the effective implementation of an appropriate cyber security framework can instil confidence in an executive team.